Abstract

The Rabin public-key cryptosystem is revisited with a focus on the problem of identifying 
the encrypted message unambiguously for any pair of primes. Both theoretical and practical 
solutions are presented. The Rabin signature is also reconsidered and a deterministic padding 
mechanism is proposed. 
1 Introduction

In 1979, Michael Rabin [11] suggested a variant of RSA with public-key exponent 2, which he showed to be as secure as factoring. The encryption of a message $m \in \mathbb{Z}_N^*$ is $C = m^2 \bmod N$, where $N = pq$ is a product of two prime numbers, and the decryption is performed by solving the equation

$$x^2 = C \bmod N, \qquad (1)$$

which has four roots; thus, for a complete decryption, further information is needed to identify $m$ among these roots. More precisely, for a fully automatic (deterministic) decryption we need at minimum two more bits (computed at the encryption stage) to identify $m$ without ambiguity. The advantages of using exponent 2, with respect to larger exponents, are: i) a smaller computational burden, and ii) solving (1) is equivalent to factoring $N$. The disadvantages are: iii) the computation, at the encryption stage, of the information required to identify the right root, and the delivery of this information to the decryption stage, and iv) a vulnerability to chosen-plaintext attack [9], [15]. Several naive choice methods base the selection of the correct root on the message semantics, that is, they retain the root that corresponds to a message that looks most meaningful, or the root that contains a known string of bits. However, all these methods are either unusable, for example when the message is a secret key, or are only probabilistic; in any case they affect the equivalence between breaking the Rabin scheme and factoring [4]. Nevertheless, for schemes using pairs of primes congruent 3 modulo 4 (Blum primes), Williams [17] proposed a root identification scheme based on the computation of a Jacobi symbol, using an additional parameter in the public key, and two additional bits in the encrypted message.

The Rabin cryptosystem may also be used to create a signature by exploiting the inverse mapping: in order to sign $m$ the equation $x^2 = m \bmod N$ is solved and any of the four roots, say $S$, can be used to form the signed message $(m, S)$. However, if $x^2 = m \bmod N$ has no solution the signature cannot be directly generated; to overcome this issue, a random pad $U$ is used until $x^2 = mU \bmod N$ is solvable, and the signature is the triple $(m, U, S)$ [10]. A verifier compares $S^2$ with $mU \bmod N$ and accepts the signature as valid when these two numbers are equal. For an application to electronic signature, an in-depth analysis of the advantages and disadvantages can be found in the literature.

In the next Section we collect preliminary results concerning the solutions of equation (1) and the mathematics that we need. In Section 3, we describe in detail the Rabin scheme in the standard setting, where both prime factors of $N$ are congruent 3 modulo 4, and also propose a new identification rule exploiting the Dedekind sums. In Section 4 we address the identification problem for any pair of primes. In Section 5 we describe a Rabin signature with deterministic padding. Lastly, in Section 6, we draw some conclusions.

2 Preliminaries 

Let $N = pq$ be a product of two odd primes $p$ and $q$. Using the generalized Euclidean algorithm to compute the greatest common divisor between $p$ and $q$, two integer numbers $\lambda_1, \lambda_2 \in \mathbb{Z}$ such that $\lambda_1 p + \lambda_2 q = 1$ are efficiently computed. Thus, setting $\psi_1 = \lambda_2 q$ and $\psi_2 = \lambda_1 p$, so that $\psi_1 + \psi_2 = 1$, it is easily verified that $\psi_1$ and $\psi_2$ satisfy the relations

$$\psi_1 \psi_2 = 0 \bmod N, \qquad \psi_1^2 = \psi_1 \bmod N, \qquad \psi_2^2 = \psi_2 \bmod N, \qquad (2)$$

and that $\psi_1 = 1 \bmod p$, $\psi_1 = 0 \bmod q$, and $\psi_2 = 0 \bmod p$, $\psi_2 = 1 \bmod q$. According to the Chinese Remainder Theorem (CRT), using $\psi_1$ and $\psi_2$, every element $a$ in $\mathbb{Z}_N$ can be represented as

$$a = a_1 \psi_1 + a_2 \psi_2 \bmod N,$$

where $a_1 \in \mathbb{Z}_p$ and $a_2 \in \mathbb{Z}_q$ are calculated as $a_1 = a \bmod p$, $a_2 = a \bmod q$.

The four roots $x_1, x_2, x_3, x_4 \in \mathbb{Z}_N$ of (1), represented as positive numbers, are obtained using the CRT from the roots $u_1, u_2 \in \mathbb{Z}_p$ and $v_1, v_2 \in \mathbb{Z}_q$ of the two equations $u^2 = C \bmod p$ and $v^2 = C \bmod q$, respectively. The roots $u_1$ and $u_2 = p - u_1$ are of different parity, as well as $v_1$ and $v_2 = q - v_1$. If $p$ is congruent 3 modulo 4, the root $u_1$ can be computed in deterministic polynomial time as $\pm C^{\frac{p+1}{4}} \bmod p$; the same holds for $q$. If $p$ is congruent 1 modulo 4, an equally simple algorithm is not known; however, $u_1$ can be computed in probabilistic polynomial time using Tonelli's algorithm [2, p. 156] once a quadratic non-residue modulo $p$ is known (this computation is the probabilistic part of the algorithm), or using the (probabilistic) Cantor-Zassenhaus algorithm [5], [13], [16] to factor the polynomial $u^2 - C$ modulo $p$. Using the previous notations, the four roots of (1) can be written as

$$\begin{aligned} x_1 &= u_1 \psi_1 + v_1 \psi_2 \bmod N \\ x_2 &= u_1 \psi_1 + v_2 \psi_2 \bmod N \\ x_3 &= u_2 \psi_1 + v_1 \psi_2 \bmod N \\ x_4 &= u_2 \psi_1 + v_2 \psi_2 \bmod N . \end{aligned} \qquad (3)$$

Lemma 1 Let $N = pq$ be a product of two prime numbers and let $C$ be a quadratic residue modulo $N$. The four roots $x_1, x_2, x_3, x_4$ of the polynomial $x^2 - C$ are partitioned into two sets $\mathfrak{X}_1 = \{x_1, x_4\}$ and $\mathfrak{X}_2 = \{x_2, x_3\}$ such that the roots in the same set have different parity, i.e. $x_1 = 1 + x_4 \bmod 2$ and $x_2 = 1 + x_3 \bmod 2$. Furthermore, assuming that $u_1$ and $v_1$ in equation (3) have the same parity, the residues modulo $p$ and modulo $q$ of each root in $\mathfrak{X}_1$ have the same parity, while each root in $\mathfrak{X}_2$ has residues of different parity.

PROOF. Since $u_1$ and $v_1$ have the same parity by assumption, then also $u_2$ and $v_2$ have the same parity. The connection between $x_1$ and $x_4$ is shown by the following chain of equalities

$$x_4 = u_2 \psi_1 + v_2 \psi_2 = (p - u_1)\psi_1 + (q - v_1)\psi_2 = -x_1 \bmod N = N - x_1,$$

because $p\psi_1 = 0 \bmod N$ and $q\psi_2 = 0 \bmod N$, and $x_1$ is less than $N$ by assumption, thus $-x_1 \bmod N = N - x_1$ is positive and less than $N$. A similar chain connects $x_2$ and $x_3 = N - x_2$; the conclusion follows because $N$ is odd and thus $x_1$ and $x_4$, as well as $x_2$ and $x_3$, have different parity.

□



2.1 The Mapping $\mathfrak{M}: x \to x^2$

The mapping $\mathfrak{M}: x \to x^2$ is four-to-one and partitions $\mathbb{Z}_N^*$ into disjoint subsets $\mathfrak{u}$ of four elements specified by equation (3). Let $\mathfrak{U}$ be the group of the four square roots of unity, that is the roots of $x^2 - 1$, consisting of the four-tuple

$$\mathfrak{U} = \{1, \alpha, -\alpha, -1\}.$$

Obviously, $\mathfrak{U}$ is a group of order 4 and exponent 2. Each subset $\mathfrak{u}$, consisting of the four square roots of a given quadratic residue, may be described as a coset $m\mathfrak{U}$ of $\mathfrak{U}$, i.e.

$$\mathfrak{u} = m\mathfrak{U} = \{m, \alpha m, -\alpha m, -m\}.$$

The number of these cosets is $\varphi(N)/4$ and they form a group which is isomorphic to a subgroup of $\mathbb{Z}_N^*$ of order $\varphi(N)/4$. Once a coset $\mathfrak{u} = \{x_1, x_2, x_3, x_4\}$ is given, a problem is to identify (label) the four elements contained in it. By Lemma 1 each $x_i$ is identified by the pair of bits

$$b_p = (x_i \bmod p) \bmod 2, \quad \text{and} \quad b_q = (x_i \bmod q) \bmod 2.$$

In summary, the table

    root    b_p         b_q
    x_1     u_1 mod 2   v_1 mod 2
    x_2     u_1 mod 2   v_2 mod 2
    x_3     u_2 mod 2   v_1 mod 2
    x_4     u_2 mod 2   v_2 mod 2

shows that two bits identify (label) the four roots. On the other hand, the expression of these two bits involves the prime factorization of $N$, that is $p$ and $q$; when the factors of $N$ are not available, it is no longer possible to compute these parity bits, and the problem is to find which parameters can be used, and which is the minimum number of additional bits that must be disclosed, in order to label a given root among the four.

Adopting the convention introduced along with equation (3), a parity bit, namely $b_0 = x_i \bmod 2$, distinguishes $x_1$ from $x_4$, and $x_2$ from $x_3$; therefore it may be one of the parameters to be used in identifying the four roots. It remains to find how to distinguish between roots having the same parity, without knowing the factors of $N$.

2.2 Dedekind sums 

A Dedekind sum is denoted by $s(h, k)$ and defined as follows [12]. Let $h, k$ be relatively prime and $k > 1$; then we set

$$s(h, k) = \sum_{j=1}^{k} \left(\left(\frac{j}{k}\right)\right)\left(\left(\frac{hj}{k}\right)\right),$$

where the symbol $((x))$, defined as

$$((x)) = \begin{cases} x - \lfloor x \rfloor - \frac{1}{2} & \text{if } x \text{ is not an integer} \\ 0 & \text{if } x \text{ is an integer}, \end{cases}$$

denotes the well-known sawtooth function of period 1. The Dedekind sum satisfies the following properties (see the cited literature on Dedekind sums for proofs and details):

1) $h_1 = h_2 \bmod k \implies s(h_1, k) = s(h_2, k)$;

2) $s(-h, k) = -s(h, k)$;

3) $s(h, k) + s(k, h) = -\frac{1}{4} + \frac{1}{12}\left(\frac{h}{k} + \frac{k}{h} + \frac{1}{hk}\right)$, a property known as the reciprocity theorem for the Dedekind sums;

4) $12k\, s(h, k) = k + 1 - 2\left(\frac{h}{k}\right) \bmod 8$ for $k$ odd, a property connecting Dedekind sums and Jacobi symbols.

The properties 1), 2), and 3) allow us to compute a Dedekind sum by a method that mimics the Euclidean algorithm and has the same efficiency. In the sequel we need the following Lemma:

Lemma 2 If $k = 1 \bmod 4$, then, for any $h$ relatively prime with $k$, the denominator of $s(h, k)$ is od.

PROOF. In the definition of $s(h, k)$ we can stop the summation at $k - 1$ because $\left(\left(\frac{hk}{k}\right)\right) = 0$; furthermore, from the identity $((-x)) = -((x))$ it follows that $\sum_{j=1}^{k-1} \left(\left(\frac{hj}{k}\right)\right) = 0$ for every integer $h$ [12], then we may write

$$s(h, k) = \sum_{j=1}^{k-1} \left(\frac{j}{k} - \frac{1}{2}\right)\left(\frac{hj}{k} - \left\lfloor \frac{hj}{k} \right\rfloor - \frac{1}{2}\right) = \sum_{j=1}^{k-1} \frac{j}{k}\left(\frac{hj}{k} - \left\lfloor \frac{hj}{k} \right\rfloor - \frac{1}{2}\right),$$

since $\frac{hj}{k}$ is never an integer, because $j < k$ and $h$ is relatively prime with $k$ by hypothesis. The last summation can be split into the sum of two summations such that

- the first summation $\sum_{j=1}^{k-1} \frac{j}{k}\left(\frac{hj}{k} - \left\lfloor \frac{hj}{k} \right\rfloor\right)$ has the denominator patently odd;

- the second summation is evaluated as $-\frac{1}{2}\sum_{j=1}^{k-1} \frac{j}{k} = -\frac{k-1}{4}$.

In conclusion, the denominator of $s(h, k)$ is odd because $s(h, k)$ is a sum of a fraction with odd denominator with $-\frac{k-1}{4}$, which is an integer number by hypothesis.

□



3 Rabin scheme: primes $p = q = 3 \bmod 4$

As said in the introduction, an important issue in using the Rabin scheme is the choice of the right root at the decrypting stage. When $p = q = 3 \bmod 4$, a solution to the identification problem was proposed by Williams [17] and is reported in the following, slightly modified from [10], along with three different solutions.



3.1 Williams' scheme

Williams [10], [17] proposed an implementation of the Rabin cryptosystem using a parity bit and the Jacobi symbol. The decryption process is based on the observation that, setting $D = \frac{1}{2}\left(\frac{(p-1)(q-1)}{4} + 1\right)$, if $b = a^2 \bmod N$ and $\left(\frac{a}{N}\right) = 1$, we have $a = \pm b^D$, by Lemma 1 in [17].

Public key: $[N, S]$, where $S$ is an integer such that $\left(\frac{S}{N}\right) = -1$.

Encrypted message: $[C, c_1, c_2]$, where

$$c_1 = \frac{1}{2}\left(1 - \left(\frac{m}{N}\right)\right), \quad \bar{m} = S^{c_1} m \bmod N, \quad c_2 = \bar{m} \bmod 2, \quad \text{and} \quad C = \bar{m}^2 \bmod N.$$

Decryption stage: compute $m' = C^D \bmod N$ and $N - m'$, and choose the number, $m''$ say, with the parity specified by $c_2$. The original message is recovered as

$$m = S^{-c_1} m'' \bmod N.$$



3.2 A second scheme: Variant I

We describe here a variant again exploiting the Jacobi symbol, but in a different way. The detailed process consists of the following steps.

Public key: $[N]$.

Encrypted message: $[C, b_0, b_1]$, where

$$C = m^2 \bmod N, \quad b_0 = m \bmod 2, \quad \text{and} \quad b_1 = \frac{1}{2}\left(1 + \left(\frac{m}{N}\right)\right).$$

Decryption stage:

- compute, as in (3), the four roots, written as positive numbers;

- take the two roots having the same parity specified by $b_0$, say $z_1$ and $z_2$;

- compute the numbers $\frac{1}{2}\left(1 + \left(\frac{z_1}{N}\right)\right)$ and $\frac{1}{2}\left(1 + \left(\frac{z_2}{N}\right)\right)$, and take the root corresponding to the number equal to $b_1$.

Remark. The two additional bits are sufficient to uniquely identify $m$ among the four roots because, as previously observed, the roots have the same parity in pairs, and within each of these pairs the roots have opposite Jacobi symbol modulo $N$. In fact, roots with the same parity are of the form $a_1\psi_1 + a_2\psi_2$ and $a_1\psi_1 - a_2\psi_2$ (or $-a_1\psi_1 + a_2\psi_2$), whence the conclusion follows from

$$\left(\frac{a_1\psi_1 + a_2\psi_2}{N}\right) = \left(\frac{a_1\psi_1 + a_2\psi_2}{p}\right)\left(\frac{a_1\psi_1 + a_2\psi_2}{q}\right) = \left(\frac{a_1}{p}\right)\left(\frac{a_2}{q}\right) \qquad (6)$$

and the fact that $-1$ is a nonresidue modulo a Blum prime.
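As an added worked example (this code is not from the paper; the key $p = 7$, $q = 11$, the messages, the choice $\xi = \psi_1 - \psi_2$ and all function names are constructed for this illustration), the following Python computes the idempotents of equation (2), the four roots of equation (3) with the parity labels of the table in Section 2.1, and then runs the Variant I encryption and decryption above, together with the Variant II steps of the next subsection, which fold the two bits into $C$ itself. It needs Python 3.8 or later for the modular inverse `pow(x, -1, n)`.

```python
# Added example, not code from the paper: roots of x^2 = C mod pq for Blum
# primes, the parity labels of Lemma 1, and Variant I / Variant II of
# Sections 3.2 and 3.3.  p = 7, q = 11, the messages and xi are toy values
# constructed for illustration.  Requires Python >= 3.8 (pow(x, -1, n)).
from math import gcd


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, by the binary reciprocity algorithm."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):          # (2/n) = -1 exactly when n = 3, 5 mod 8
                result = -result
        a, n = n, a                      # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def idempotents(p, q):
    """psi1 = 1 mod p, 0 mod q and psi2 = 0 mod p, 1 mod q, as in equation (2)."""
    n = p * q
    return q * pow(q, -1, p) % n, p * pow(p, -1, q) % n


def four_roots(c, p, q):
    """Roots x1, x2, x3, x4 of x^2 = c mod pq in the order of equation (3).

    Needs p = q = 3 mod 4 so that c^((p+1)/4) is a square root mod p; v1 is
    taken with the parity of u1, as Lemma 1 assumes.
    """
    n = p * q
    psi1, psi2 = idempotents(p, q)
    u1, v1 = pow(c, (p + 1) // 4, p), pow(c, (q + 1) // 4, q)
    if u1 % 2 != v1 % 2:
        v1 = q - v1                      # the other root mod q has the other parity
    u2, v2 = p - u1, q - v1
    pairs = ((u1, v1), (u1, v2), (u2, v1), (u2, v2))
    return tuple((u * psi1 + v * psi2) % n for u, v in pairs)


def parity_labels(roots, p, q):
    """(b_p, b_q) of each root: the two bits of the table in Section 2.1."""
    return [((x % p) % 2, (x % q) % 2) for x in roots]


def encrypt_variant1(m, n):
    """[C, b0, b1] with b1 = (1 + (m/N))/2; needs only the public key N."""
    assert 0 < m < n and gcd(m, n) == 1
    return m * m % n, m % 2, (1 + jacobi(m, n)) // 2


def decrypt_variant1(ciphertext, p, q):
    c, b0, b1 = ciphertext
    n = p * q
    # roots of equal parity form a pair with opposite Jacobi symbols (equation (6))
    chosen = [z for z in four_roots(c, p, q)
              if z % 2 == b0 and (1 + jacobi(z, n)) // 2 == b1]
    assert len(chosen) == 1
    return chosen[0]


def encrypt_variant2(m, n, xi):
    """Variant II: fold b0 and b1 into C itself; xi must satisfy (xi/N) = -1."""
    assert 0 < m < n and gcd(m, n) == 1 and jacobi(xi, n) == -1
    b0, b1 = m % 2, (1 - jacobi(m, n)) // 2
    return m * m * pow(-1, b1) * pow(xi, b0, n) % n


def decrypt_variant2(c, p, q, xi):
    n = p * q
    d0 = (1 - jacobi(c, n)) // 2         # (C/N) = (xi/N)^b0 = (-1)^b0, so d0 = b0
    c2 = c * pow(xi, -d0, n) % n         # strip xi^b0
    d1 = (1 - jacobi(c2, q)) // 2        # (C''/q) = (-1/q)^b1 = (-1)^b1, so d1 = b1
    c1 = c2 * pow(-1, d1) % n            # back to C' = m^2 mod N
    chosen = [z for z in four_roots(c1, p, q)
              if z % 2 == d0 and (1 - jacobi(z, n)) // 2 == d1]
    assert len(chosen) == 1
    return chosen[0]


if __name__ == "__main__":
    p, q = 7, 11
    n = p * q
    psi1, psi2 = idempotents(p, q)
    xi = (psi1 - psi2) % n               # a^2 psi1 - psi2 with a = 1
    for m in (10, 15):
        assert decrypt_variant1(encrypt_variant1(m, n), p, q) == m
        assert decrypt_variant2(encrypt_variant2(m, n, xi), p, q, xi) == m
    roots = four_roots(23, p, q)         # 23 = 10^2 mod 77
    print(roots, parity_labels(roots, p, q))
```

With $p = 7$, $q = 11$ and $C = 23 = 10^2 \bmod 77$ the four roots come out as $(32, 67, 10, 45)$ with labels $(0,0), (0,1), (1,0), (1,1)$, matching the table row by row; the two even roots $32$ and $10$ have Jacobi symbols $-1$ and $+1$, which is exactly what the bit $b_1$ separates.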



3.3 A second scheme: Variant II

We recall here a second variant exploiting the Jacobi symbol which, at some extra computational cost and with further information in the public key, requires the delivery of no further bit, since the information needed for a deterministic decryption is carried by the encrypted message itself [7].

Let $\xi$ be an integer such that $\left(\frac{\xi}{N}\right) = -1$, for example $\xi = a^2\psi_1 - \psi_2 \bmod N$, with $a \in \mathbb{Z}_N^*$. The detailed process consists of the following steps.

Public key: $[N, \xi]$.

Encrypted message: $[C]$, where $C$ is obtained as follows

$$C' = m^2 \bmod N, \quad b_0 = m \bmod 2, \quad b_1 = \frac{1}{2}\left(1 - \left(\frac{m}{N}\right)\right), \quad \text{and} \quad C = C'(-1)^{b_1}\xi^{b_0} \bmod N.$$

Decryption stage:

- compute $d_0 = \frac{1}{2}\left(1 - \left(\frac{C}{N}\right)\right)$, and set $C'' = C\xi^{-d_0} \bmod N$;

- compute $d_1 = \frac{1}{2}\left(1 - \left(\frac{C''}{q}\right)\right)$, and set $C' = C''(-1)^{d_1} \bmod N$;

- compute, as in (3), the four roots of $C'$, written as positive numbers;

- take the root identified by $d_0$ and $d_1$.

Remark. Note that the Jacobi symbol $\left(\frac{C}{N}\right)$ discloses the message parity to an eavesdropper.
3.4 A scheme based on Dedekind sums

Let $m \in \mathbb{Z}_N$ be the message to be encrypted, with $N = pq$, $p = q = 3 \bmod 4$. The detailed process consists of the following steps:

Public key: $[N]$.

Encrypted message: $[C, b_0, b_1]$, where

$$C = m^2 \bmod N, \quad b_0 = m \bmod 2, \quad \text{and} \quad b_1 = s(m, N) \bmod 2,$$

where, due to Lemma 2, the Dedekind sum can be taken modulo 2 since its denominator is odd.

Decryption stage:

- compute, as in (3), the four roots, written as positive numbers;

- take the two roots having the same parity specified by $b_0$, say $z_1$ and $z_2$;

- compute the numbers $s(z_1, N) \bmod 2$ and $s(z_2, N) \bmod 2$, and take the root corresponding to the number equal to $b_1$.

The algorithm works because $s(z_1, N) \bmod 2 \ne s(z_2, N) \bmod 2$ by the following Lemma.

Lemma 3 If $k$ is the product of two Blum primes $p$ and $q$, $(x_1, k) = 1$, and $x_2 = x_1(\psi_1 - \psi_2) \bmod k$, then

$$s(x_1, k) + s(x_2, k) = 1 \bmod 2.$$

PROOF. (Writing $N$ for $k$.) By property 4), which compares the value of the Dedekind sum with the value of the Jacobi symbol, we have

$$12N\, s(x_1, N) = N + 1 - 2\left(\frac{x_1}{N}\right) \bmod 8 \quad \text{and} \quad 12N\, s(x_2, N) = N + 1 - 2\left(\frac{x_2}{N}\right) \bmod 8;$$

summing the two expressions (member by member) and taking into account that $N = 1 \bmod 4$, we have

$$12N\left(s(x_1, N) + s(x_2, N)\right) = 2N + 2 - 2\left[\left(\frac{x_1}{N}\right) + \left(\frac{x_2}{N}\right)\right] \bmod 8,$$

since $12N = 4 \bmod 8$ and $2N = 2 \bmod 8$. Now, we have previously shown that the sum of the two Jacobi symbols is 0; then, applying Lemma 2, we have

$$4\left(s(x_1, N) + s(x_2, N)\right) = 4 \bmod 8 \implies s(x_1, N) + s(x_2, N) = 1 \bmod 2,$$

which concludes the proof.

□
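As an added worked example for Section 2.2 and for the scheme above (this code is not from the paper; the modulus $N = 3 \cdot 7$, the messages and all function names are constructed for this illustration), the following Python computes $s(h, k)$ both from the definition and by the Euclid-like recursion that properties 1) and 3) give, checks property 4) against a Jacobi symbol computed from the known factorization, applies Lemma 2 to read $s(h, k) \bmod 2$ off the numerator, and uses that bit to pick between the two roots of Lemma 3.

```python
# Added example, not code from the paper: Dedekind sums s(h, k), the reciprocity
# recursion, property 4), Lemma 2 and Lemma 3, and the identification bit
# b1 = s(m, N) mod 2 of Section 3.4.  N = 3 * 7 and the messages are toy
# values constructed for illustration.
from fractions import Fraction
from math import floor, gcd


def sawtooth(x):
    """((x)) = x - floor(x) - 1/2 for non-integer x, and 0 when x is an integer."""
    x = Fraction(x)
    return Fraction(0) if x.denominator == 1 else x - floor(x) - Fraction(1, 2)


def dedekind_direct(h, k):
    """s(h, k) = sum_{j=1..k} ((j/k)) ((hj/k)), straight from the definition, O(k)."""
    return sum((sawtooth(Fraction(j, k)) * sawtooth(Fraction(h * j, k))
                for j in range(1, k + 1)), Fraction(0))


def dedekind_euclid(h, k):
    """s(h, k) in O(log k) steps: property 1) reduces h mod k, property 3) swaps h, k."""
    assert k >= 1 and gcd(h, k) == 1
    h %= k
    if k == 1:
        return Fraction(0)
    # reciprocity: s(h,k) + s(k,h) = -1/4 + (h/k + k/h + 1/(hk)) / 12
    return Fraction(h * h + k * k + 1, 12 * h * k) - Fraction(1, 4) - dedekind_euclid(k, h)


def jacobi(a, primes):
    """(a/k) for k the product of the given odd primes: product of Legendre symbols."""
    r = 1
    for p in primes:
        s = pow(a % p, (p - 1) // 2, p)      # Euler's criterion
        r *= -1 if s == p - 1 else s
    return r


def parity(s):
    """s mod 2 for a rational with odd denominator (Lemma 2): the numerator's parity."""
    assert s.denominator % 2 == 1, "odd denominator needs k = 1 mod 4"
    return s.numerator % 2


def property4_holds(h, k, primes):
    """Property 4): 12 k s(h,k) = k + 1 - 2 (h/k) (mod 8) for odd k."""
    lhs = 12 * k * dedekind_euclid(h, k)
    assert lhs.denominator == 1              # 12 k s(h, k) is always an integer
    return (lhs.numerator - (k + 1 - 2 * jacobi(h, primes))) % 8 == 0


def idempotents(p, q):
    n = p * q
    return q * pow(q, -1, p) % n, p * pow(p, -1, q) % n


def lemma3_partner(x1, p, q):
    """x2 = x1 (psi1 - psi2) mod N: the root whose Jacobi symbol is opposite to x1's."""
    psi1, psi2 = idempotents(p, q)
    return x1 * (psi1 - psi2) % (p * q)


def identify_by_dedekind(z1, z2, b1, n):
    """Section 3.4 decryption step: the root z with s(z, N) mod 2 = b1."""
    chosen = [z for z in (z1, z2) if parity(dedekind_euclid(z, n)) == b1]
    assert len(chosen) == 1                  # Lemma 3: the two parities differ
    return chosen[0]


if __name__ == "__main__":
    p, q = 3, 7                              # two Blum primes, so N = 1 mod 4
    n = p * q
    m = 2
    b1 = parity(dedekind_euclid(m, n))       # the bit sent alongside C = m^2 mod N
    other = lemma3_partner(m, p, q)
    print(dedekind_euclid(m, n), dedekind_euclid(other, n),
          identify_by_dedekind(other, m, b1, n))
```

For $N = 21$ and $m = 2$ the partner root is $2(\psi_1 - \psi_2) \bmod 21 = 5$; property 4) gives $4\,s(2, 21) \equiv 0$ and $4\,s(5, 21) \equiv 4 \pmod 8$, so the two Dedekind sums have opposite parity and the single bit $b_1$ settles the choice, as Lemma 3 states. Note that property 4) is checked with the factorization of $k$ in hand; the decryptor, who knows $p$ and $q$, is in that position, while the encryptor only needs $s(m, N)$ itself.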






4 Root identification for any pair of primes

If $p$ and $q$ are not both Blum primes, the identification of $m$ among the four roots of the equation $x^2 - C$, where $C = m^2 \bmod N$, can be given by the pair $[b_0, b_1]$ where

$$b_0 = x_i \bmod 2 \quad \text{and} \quad b_1 = (x_i \bmod p) + (x_i \bmod q) \bmod 2,$$

as a consequence of Lemma 1. The bit $b_0$ can be computed at the encryption stage without knowing $p$ and $q$, while $b_1$ requires, in this definition, the knowledge of $p$ and $q$ and cannot be directly computed knowing only $N$.

In principle, a way to get $b_1$ is to publish a pre-computed binary list (or table) that has in position $i$ the bit $b_1$ pertaining to the message $m = i$. This list does not disclose any useful information on the factorization of $N$, because, even if we know that the residues modulo $p$ and modulo $q$ have the same parity, we do not know which parity, and if these residues have different parity we do not know which parity belongs to which residue. Although the list makes the task theoretically feasible, its size is of exponential complexity with respect to the size of $N$ and thus practically unrealizable.

While searching for different ways of obtaining b\, or some other identifying information, 
several approaches have been investigated: 

• to extend the method of the previous section, based on quadratic residuacity, to any pair of 
primes, by using power residue symbols of higher order; unfortunately, we will show next 
that this endangers the security of the private key, that is the factorization of N. 

• to define a polynomial function that assumes the values in the above mentioned list at the 
corresponding integer positions; unfortunately this solution is not practical because this 
polynomial has a degree roughly equal to N, and is not sparse, then it is more complex 
than the list. 

• to exploit group isomorphisms; this approach will be described with some details because 
it could be of practical interest, although not being optimal, in that it relies on the hardness 
of the Discrete Logarithm problem and it may require to communicate more bits than the 
theoretical lower bound of 2. 

4.1 Residuacity

In Section 3 the Jacobi symbol, i.e. quadratic residuacity, was used to distinguish the roots in the Rabin cryptosystem when $p = q = 3 \bmod 4$. For primes congruent 1 modulo 4, Legendre symbols cannot distinguish numbers of opposite sign, therefore quadratic residuacity is no longer sufficient to identify the roots. Higher power residue symbols could in principle do the desired job, but unfortunately their use unveils the factorization of $N$, as the following argument shows.

Let $2^k$ and $2^h$ be the even exponents of $\mathbb{Z}_p^*$ and $\mathbb{Z}_q^*$, respectively, that is $2^k$ strictly divides $p - 1$ and $2^h$ strictly divides $q - 1$, and assume that $k \ge h$. Then the rational power residue symbols $x^{(p-1)/2^k} \bmod p$ and $x^{(q-1)/2^h} \bmod q$ can distinguish, respectively, between $u_1$ and $u_2$ and between $v_1$ and $v_2$; therefore the function $x^{\varphi(N)/2^{k+h}} \bmod N$ would identify $m$ among the $2^k$-th roots of unity in $\mathbb{Z}_N^*$. The idea would be to make these roots publicly available and label them, so that whoever sends the message can tell which of them corresponds to the message actually sent. There are two problems: first, the exponent $\varphi(N)/2^{k+h}$ should also be available, but necessarily in some masked form in order to hide the factors of $N$; but most importantly, among the public $2^k$-th roots of unity we would find the square roots of unity, and in particular $K = \psi_1 - \psi_2$. But the greatest common divisor of $K + 1 = 2\psi_1$ and $N$ yields $q$, so $N$ is factored.

4.2 Polynomial function

We may construct an identifying polynomial as an interpolation polynomial choosing a prime $P$ greater than $N$. Actually the polynomial

$$L(x) = \sum_{j=1}^{N-1} \left(1 - (x - j)^{P-1}\right)\left((j \bmod p) + (j \bmod q) \bmod 2\right) \bmod P$$

assumes the value 1 in $0 < m < N$ if the residues of $m$ modulo $p$ and modulo $q$ have different parity, and assumes the value 0 elsewhere. Unfortunately, as said, the complexity of $L(x)$ is prohibitive and makes this function practically useless.

4.3 Group isomorphisms

We have previously shown that in the Rabin scheme two more bits are sufficient for the decryption, and can be easily computed, when Blum primes are used. When non-Blum primes are used, instead, every known function that computes the two identifying bits is prohibitively complex. In this section, we describe a practical method that can have an acceptable complexity, although it requires a one-way function that might be weaker than factoring.

A possible solution is to use a function $\mathfrak{d}$ defined from $\mathbb{Z}_N$ into a group $\mathfrak{G}$ of the same order, and define a function $\mathfrak{D}_1$ such that $\mathfrak{D}_1(x_1) = \mathfrak{d}(x_2)$. The public key consists of the two functions $\mathfrak{d}$ and $\mathfrak{D}_1$. At the encryption stage both are evaluated at the same argument, the message $m$, and the minimum information necessary to distinguish their values is delivered together with the encrypted message. The decryption operations are obvious. The true limitation of this scheme is that $\mathfrak{d}$ must be a one-way function, otherwise two square roots that allow us to factor can be recovered as in the residuacity subsection.

Following this approach, we propose the following solution, based on the hardness of computing discrete logarithms.

Given $N$, let $P = \mu N + 1$ be a prime (the smallest prime) congruent 1 modulo $N$, which certainly exists by Dirichlet's theorem [1]. Let $g$ be a primitive element generating the multiplicative group $\mathbb{Z}_P^*$.

Define $g_1 = g^{\mu}$ and $g_2 = g^{\mu(\psi_1 - \psi_2)}$, and let $m$ denote the message, as usual.

Public key: $[N, g_1, g_2]$.

Encryption stage: $[C, b_0, d_1, d_2, p_1, p_2]$, where $C = m^2 \bmod N$, $b_0 = m \bmod 2$, $p_1$ is a position in the binary expansion of $g_1^m \bmod P$ whose bit $d_1$ is different from the bit in the corresponding position of the binary expansion of $g_2^m \bmod P$, and $p_2$ is a position in the binary expansion of $g_1^m \bmod P$ whose bit $d_2$ is different from the bit in the corresponding position of the binary expansion of $g_2^{-m} \bmod P$.

Decryption stage:

- compute, as in (3), the four roots, written as positive numbers;

- take the two roots having the same parity specified by $b_0$, say $z_1$ and $z_2$;

- compute $A = g_1^{z_1} \bmod P$ and $B = g_1^{z_2} \bmod P$; between $z_1$ and $z_2$, the root is selected whose power ($A$ or $B$) has the correct bits $d_1$ and $d_2$ in both the given positions $p_1$ and $p_2$ of its binary expansion.

The algorithm is justified by the following Lemma.

Lemma 4 The power $g_0 = g^{\mu}$ generates a group of order $N$ in $\mathbb{Z}_P^*$, thus the correspondence $x \leftrightarrow g_0^x$ establishes an isomorphism between a multiplicative subgroup of $\mathbb{Z}_P^*$ and the additive group of $\mathbb{Z}_N$. The four roots of $x^2 = C \bmod N$, $C = m^2 \bmod N$, are in a one-to-one correspondence with the four powers $g_0^{m} \bmod P$, $g_0^{-m} \bmod P$, $g_0^{m(\psi_1 - \psi_2)} \bmod P$ and $g_0^{-m(\psi_1 - \psi_2)} \bmod P$.

PROOF. The first part is due to the choice of $P$: the group generated by $g_0$ has order $N$, thus the isomorphism follows immediately. The second part is a consequence of Section 2.1.

□

The price to pay is the costly arithmetic in $GF(P)$, and the equivalence of the security of the Rabin cryptosystem with the hardness of factoring is now conditioned on the complexity of computing the discrete logarithm in $\mathbb{Z}_P^*$.
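As an added worked example (this code is not from the paper; the toy modulus $N = 5 \cdot 13$, for which the smallest prime $P = \mu N + 1$ is $131$, the message and all function names are constructed for this illustration), the following Python generates $[N, g_1, g_2]$, produces the positions $p_1, p_2$ and bits $d_1, d_2$ at the encryption stage, and performs the selection step of the decryption stage. Since this block is about the identification step rather than root extraction, the partner root of equal parity is built directly as $\pm m(\psi_1 - \psi_2) \bmod N$ from Section 2.1. $P$ is carried in the key dictionary for convenience; it is determined by $N$.

```python
# Added example, not code from the paper: the group-isomorphism identification
# of Section 4.3 on a toy modulus with primes 1 mod 4.  p = 5, q = 13 (so
# P = 2N + 1 = 131) and the message are constructed for illustration.
from math import gcd


def is_prime(x):
    return x > 1 and all(x % d for d in range(2, int(x ** 0.5) + 1))


def prime_factors(x):
    out, d = set(), 2
    while d * d <= x:
        while x % d == 0:
            out.add(d)
            x //= d
        d += 1
    return out | ({x} if x > 1 else set())


def idempotents(p, q):
    n = p * q
    return q * pow(q, -1, p) % n, p * pow(p, -1, q) % n


def keygen(p, q):
    """Public key [N, g1, g2]; P = mu*N + 1 is kept alongside since arithmetic is in Z_P^*."""
    n = p * q
    mu = 1
    while not is_prime(mu * n + 1):                  # smallest prime P = 1 mod N
        mu += 1
    P = mu * n + 1
    factors = prime_factors(P - 1)
    g = next(g for g in range(2, P)                  # a primitive element of Z_P^*
             if all(pow(g, (P - 1) // f, P) != 1 for f in factors))
    psi1, psi2 = idempotents(p, q)
    return {"N": n, "P": P,
            "g1": pow(g, mu, P),                           # g1 = g^mu, of order N
            "g2": pow(g, mu * ((psi1 - psi2) % n), P)}     # g2 = g^(mu (psi1 - psi2))


def first_differing_bit(a, b):
    """Lowest bit position where a and b differ, and a's bit at that position."""
    diff = a ^ b
    assert diff, "the two powers coincide"
    pos = (diff & -diff).bit_length() - 1
    return pos, (a >> pos) & 1


def encrypt(m, pub):
    """[C, b0, d1, d2, p1, p2]: p1 separates g1^m from g2^m, p2 separates it from g2^-m."""
    n, P, g1, g2 = pub["N"], pub["P"], pub["g1"], pub["g2"]
    assert 0 < m < n and gcd(m, n) == 1
    a = pow(g1, m, P)
    p1, d1 = first_differing_bit(a, pow(g2, m, P))
    p2, d2 = first_differing_bit(a, pow(g2, n - m, P))   # g2^-m, as g2 has order N
    return m * m % n, m % 2, d1, d2, p1, p2


def select_root(z1, z2, ciphertext, pub):
    """Decryption step: of two roots of equal parity, the one whose g1^z carries d1 at p1 and d2 at p2."""
    _, b0, d1, d2, p1, p2 = ciphertext
    assert z1 % 2 == b0 == z2 % 2
    chosen = []
    for z in (z1, z2):
        power = pow(pub["g1"], z, pub["P"])
        if (power >> p1) & 1 == d1 and (power >> p2) & 1 == d2:
            chosen.append(z)
    assert len(chosen) == 1
    return chosen[0]


def same_parity_partner(m, p, q):
    """The other root of m^2 mod N with m's parity: +-m(psi1 - psi2) mod N (Section 2.1)."""
    n = p * q
    psi1, psi2 = idempotents(p, q)
    z = m * (psi1 - psi2) % n
    return z if z % 2 == m % 2 else n - z


if __name__ == "__main__":
    pub = keygen(5, 13)
    m = 7
    ct = encrypt(m, pub)
    print(pub, ct, select_root(same_parity_partner(m, 5, 13), m, ct, pub))
```

The selection is unambiguous because the partner root is $\pm m(\psi_1 - \psi_2)$, so its power under $g_1$ is $g_2^{m}$ or $g_2^{-m}$, which by construction differs from $g_1^m$ at $p_1$ or at $p_2$ respectively. The positions $p_1, p_2$ may exceed the two-bit lower bound of the introduction, which is the cost the text mentions.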



5 The Rabin signature

In the introduction, we anticipated that a Rabin signature of a message $m$ may consist of a pair $[m, S]$; however, if $x^2 = m \bmod N$ has no solution, this signature cannot be directly generated. To overcome this obstruction, a random pad $U$ was proposed [10], and attempts are repeated until $x^2 = mU \bmod N$ is solvable, and the signature is the triple $(m, U, S)$ [10]. A verifier compares $mU \bmod N$ with $S^2$ and accepts the signature as valid when these two numbers are equal.

The aim of this section is to present a modified version of this scheme where $U$ is computed deterministically.

Now, the quadratic equation $x^2 = m \bmod N$ is solvable if and only if $m$ is a quadratic residue modulo $N$, that is, $m$ is a quadratic residue modulo $p$ and modulo $q$. When $m$ is not a quadratic residue, we show below how to exploit the Jacobi symbol to compute a suitable pad and obtain quadratic residues modulo $p$ and $q$. Let

$$f_1 = m_1^{\frac{1}{2}\left(1 - \left(\frac{m_1}{p}\right)\right)}, \qquad f_2 = m_2^{\frac{1}{2}\left(1 - \left(\frac{m_2}{q}\right)\right)},$$

that is, $f_1 = 1$ if $m_1$ is a quadratic residue modulo $p$ and $f_1 = m_1$ otherwise, and similarly for $f_2$. Writing $m = m_1\psi_1 + m_2\psi_2$, the equation

$$x^2 = (m_1\psi_1 + m_2\psi_2)(f_1\psi_1 + f_2\psi_2) = m_1 f_1 \psi_1 + m_2 f_2 \psi_2$$

is always solvable modulo $N$, because $m_1 f_1$ and $m_2 f_2$ are clearly quadratic residues modulo $p$ and modulo $q$, respectively, since

$$\left(\frac{f_1}{p}\right) = \left(\frac{m_1}{p}\right)^{\frac{1}{2}\left(1 - \left(\frac{m_1}{p}\right)\right)} \quad \text{and} \quad \left(\frac{f_2}{q}\right) = \left(\frac{m_2}{q}\right)^{\frac{1}{2}\left(1 - \left(\frac{m_2}{q}\right)\right)},$$

so that

$$\left(\frac{m_1 f_1}{p}\right) = \left(\frac{m_1}{p}\right)\left(\frac{f_1}{p}\right) = 1 \quad \text{and} \quad \left(\frac{m_2 f_2}{q}\right) = \left(\frac{m_2}{q}\right)\left(\frac{f_2}{q}\right) = 1.$$

Note that if $p$ and $q$ are Blum primes, it is possible to choose $f_1 = \left(\frac{m_1}{p}\right)$ and $f_2 = \left(\frac{m_2}{q}\right)$.

Thus we can describe the following procedure:

Public key: $N$.

Signed message: $[U, m, S]$, where $U = R^2\left[f_1\psi_1 + f_2\psi_2\right] \bmod N$ is the padding factor, with $R$ a random number, and $S$ is any solution of the equation $x^2 = mU \bmod N$.

Verification: compute $mU \bmod N$ and $S^2 \bmod N$; the signature is valid if and only if these two numbers are equal.

This signature scheme has several interesting features:

1. the signature is possible using every pair of primes, therefore it could be used with the modulus of any RSA public key, for example;

2. different signatures of the same document are different;

3. the verification needs only two multiplications, therefore it is fast enough to be used in authentication protocols.
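As an added worked example (this code is not from the paper; the key $p = 13$, $q = 17$, both congruent 1 modulo 4, the message, the value of $R$ and all function names are constructed for this illustration), the following Python computes the deterministic pad $U = R^2[f_1\psi_1 + f_2\psi_2] \bmod N$, extracts the square root $S$ of $mU$ with Tonelli-Shanks (the algorithm the text names for primes congruent 1 modulo 4, with the $C^{(p+1)/4}$ shortcut of Section 2 for Blum primes), and runs the two-multiplication verification. $R$ is passed in explicitly so that the run is reproducible; a real signer would draw it at random.

```python
# Added example, not code from the paper: the Rabin signature of Section 5 with
# the deterministic pad U = R^2 (f1 psi1 + f2 psi2) mod N for any odd primes.
# p = 13, q = 17, the message and R are toy values constructed for illustration.
from math import gcd


def legendre(a, p):
    """Legendre symbol (a/p) in {-1, 0, 1} via Euler's criterion."""
    s = pow(a % p, (p - 1) // 2, p)
    return -1 if s == p - 1 else s


def sqrt_mod_prime(a, p):
    """A square root of the quadratic residue a modulo the odd prime p (Tonelli-Shanks)."""
    a %= p
    if a == 0:
        return 0
    assert legendre(a, p) == 1, "not a quadratic residue"
    if p % 4 == 3:
        return pow(a, (p + 1) // 4, p)        # deterministic shortcut of Section 2
    q, s = p - 1, 0
    while q % 2 == 0:                         # p - 1 = q * 2^s with q odd
        q //= 2
        s += 1
    z = 2
    while legendre(z, p) != -1:               # the probabilistic part: a non-residue
        z += 1
    c, r, t, m = pow(z, q, p), pow(a, (q + 1) // 2, p), pow(a, q, p), s
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:                        # least i with t^(2^i) = 1
            t2 = t2 * t2 % p
            i += 1
        b = pow(c, 1 << (m - i - 1), p)
        r, c, t, m = r * b % p, b * b % p, t * b * b % p, i
    return r


def idempotents(p, q):
    n = p * q
    return q * pow(q, -1, p) % n, p * pow(p, -1, q) % n


def deterministic_pad(m, p, q, R):
    """U = R^2 (f1 psi1 + f2 psi2) mod N, with f_i = m_i if m_i is a non-residue, else 1."""
    n = p * q
    psi1, psi2 = idempotents(p, q)
    m1, m2 = m % p, m % q
    f1 = m1 if legendre(m1, p) == -1 else 1
    f2 = m2 if legendre(m2, q) == -1 else 1
    return R * R * (f1 * psi1 + f2 * psi2) % n


def sign(m, p, q, R):
    """Signed message [U, m, S] with S^2 = m U mod N."""
    n = p * q
    assert 0 < m < n and gcd(m, n) == 1 and gcd(R, n) == 1
    U = deterministic_pad(m, p, q, R)
    t = m * U % n                              # a quadratic residue by construction
    psi1, psi2 = idempotents(p, q)
    S = (sqrt_mod_prime(t % p, p) * psi1 + sqrt_mod_prime(t % q, q) * psi2) % n
    return U, m, S


def verify(signature, n):
    """Two multiplications: accept iff m U = S^2 mod N."""
    U, m, S = signature
    return m * U % n == S * S % n


if __name__ == "__main__":
    p, q = 13, 17                              # both 1 mod 4: not Blum primes
    sig = sign(10, p, q, R=3)
    print(sig, verify(sig, p * q), verify((sig[0], sig[1] + 1, sig[2]), p * q))
```

For $m = 10$ and $R = 3$ the pad is $U = 22$, $mU \equiv 220 \equiv -1 \pmod{221}$, which is a residue modulo both 13 and 17, and the root $S = 21$ verifies; changing $m$ to 11 with the same $U$ and $S$ fails verification. Because $f_1, f_2$ depend only on $m$ and the private factors, the pad needs no retry loop, and the randomness of $R$ is what makes two signatures of the same document differ.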



6 Conclusions and Remarks

In principle, the Rabin scheme is very efficient because only one squaring is required for encryption; furthermore, it is provably as secure as factoring. Nevertheless, it is well known [3], [15] that it presents some drawbacks, mainly due to the four-to-one mapping, that may discourage its use to conceal the content of a message, namely:

• the root identification requires the delivery of additional information, which may not be easily computed, especially when not both primes are Blum primes;

• many proposed root identification methods, based on the message semantics, have a probabilistic character and cannot be used in some circumstances;

• the delivery of two bits together with the encrypted message exposes the process to active attacks by maliciously modifying these bits. For example, suppose an attacker A sends an encrypted message to B asking that the decrypted message be delivered to a third party C (a friend of A). If in the encrypted message the bit that identifies the root among the two roots of same parity had been deliberately changed, A can get a root from C that, combined with the original message, allows factoring the Rabin public key. Even Variant II is not immune to this kind of active attack.

In conclusion, the Rabin scheme may come with some hindrance when used to conceal a message, while it seems effective when applied to generate electronic signatures or as a hash function. However, the previous observations do not exclude the practical use of the Rabin scheme (as is actually profitably done in some standardized protocols), when other properties like integrity and authenticity are to be taken care of, along with message secrecy, in a public-key encryption protocol.